Azure @ Enterprise - PowerShell log in as service principal + certificate and generate JWT access token

The enterprise always loves to increase the security posture. One authentication approach enterprise takes in Azure is App registration with a service principal. The advantage here is that the service principal can use certificates to authenticate instead of passwords. Certificates are secure than passwords as those can be centrally managed.

Problem

If our application uses the service principal + certificate and it is working fine, there is no issue. But the problem starts when something goes wrong. If we log in to the portal using our credentials and try scenarios that are failing, we may see everything works fine. But things go wrong when the application logs in using service principal. It may be a permission issue, expired certificates or passwords, etc...

What if the problems appeared first in production where enterprises don't allow any changes to the environment. ie no debugging tools are allowed to install etc...

Solution

The solution is to troubleshoot the scenario as close as how the application works. We have to log in as the service principal and try the application scenarios. 

As always in enterprise the best method to troubleshoot in production environments is PowerShell. Below goes the code to log into Azure from PowerShell using service principal and generating a JWT access token.

	################ Azure login params ###################
	$ServicePrincipalCertificateThumbprint = ''
	$TenantId = '' #This is AAD Tenant Id where the below app registration is created, not Subscription Id
	$ApplicationId = '' #THis is the application registration id sometimes called clientId. Make sure this app registration has permission to send message.
	################# One time install ####################
	$azAccountsInstalled = Get-InstalledModule Az.Accounts
	if( ! $azAccountsInstalled) {
	Install-Module Az.Accounts -AllowClobber
	}
	else{
	Write-Host "Az.Accounts already present" -ForegroundColor Yellow
	}
	#######################################################
	# Connect using service principal and validations
	# If running from Linux use certificate path https://docs.microsoft.com/en-us/powershell/module/az.accounts/connect-azaccount?view=azps-6.4.0#example-9--connect-using-certificate-file
	Connect-AzAccount -CertificateThumbprint $ServicePrincipalCertificateThumbprint -SendCertificateChain -ApplicationId $ApplicationId -Tenant $TenantId -ServicePrincipal

view raw connect-azaccount-service-principal.ps1 hosted with ❤ by GitHub

	# Change the -ResourceUrl based on scenario. Below is for ServiceBus
	$accessToken = Get-AzAccessToken -ResourceUrl https://servicebus.azure.net/

view raw get-accesstoken.ps1 hosted with ❤ by GitHub

The Connect-AzAccount cmdlet provides different ways to log in. Using the service principal is one of the methods.

Please note that the Az.Accounts need a minimum of Windows PowerShell 5.1 or PowerShell 7 version.

Once the PowerShell session is authenticated, we can perform various operations as the service principal. 

In most cases, the access token is not really required. There are PowerShell SDKs for most of the Azure services. We can directly use them. But in some cases like interacting with the data plane of Service Bus, we may need to use the access token and embed it in the Authorization header of the HTTP request.

Limitations

It reads the certificate from the personal store unless loaded from a file. We cannot pass an X509Certificate object to the Connect-AzAccount cmdlet. There is already an issue in GitHub to track it.

Update : 2021-10-30

What if we don't have permission to install Az.Accounts module?

Recently, I came to one production debugging situation where there is no permission to install the Az.Accounts module and even no connectivity to the internet to get the module. The only way is to write everything ourselves. Fortunately, someone had already done that and it is available publicly. If interested read the official docs.